Last updated: March 20, 2026 | Governed by the Digital Personal Data Protection Act, 2025
CognoShift Security Pvt. Ltd. ('CognoShift', 'we', 'us', 'our') is a company incorporated under the Companies Act, 2013, providing hardware compliance monitoring and DPDP (Digital Personal Data Protection) Act 2025 compliance-as-a-service to schools, hospitals, MSMEs, and government bodies in India.
For the purposes of the DPDP Act 2025, CognoShift acts as both a Data Fiduciary (for data we collect about our customers) and a Data Processor (when we process personal data on behalf of our customers).
Registration data: Organisation name, official email address, sector type, and payment information (processed by Razorpay — we do not store card/UPI details).
Hardware telemetry (anonymised): The CognoShift Sentinel agent collects hardware compliance signals — firewall status, hardware fingerprint (SMBIOS UUID or MAC-based hash), and a count of risk-flagged processes. Raw IP addresses are HMAC-SHA256 hashed before leaving the endpoint. Raw process names are replaced with a count only. No browsing history, keystrokes, files, or personal communications are ever collected.
Parental consent records (DPDP §9): Guardian name, HMAC-hashed student identifier, consent type (GRANT/WITHDRAWAL), and OTP-verified mobile number (stored as a one-way hash). No Aadhaar numbers, biometric data, or financial data are collected.
Support communications: If you contact us via email or the AI chatbot, your message content is processed to provide support.
Hardware telemetry is processed solely for: DPDP compliance monitoring, cybersecurity threat detection (CERT-In Directive 2022), and generation of audit reports for your organisation.
Registration data is processed to: provision your license, process payment, deliver your license key, and provide ongoing support.
Parental consent records are processed to: maintain an auditable consent ledger compliant with DPDP Section 9 / Rule 10.
We do not sell, rent, or share your data with any third party for marketing or commercial purposes.
Hardware telemetry (compliance_logs) is automatically purged exactly 365 days after creation via a Supabase pg_cron trigger. You do not need to take any action.
Consent records are retained for the duration of the consent, plus 1 year after withdrawal for audit purposes.
Registration records are retained for the duration of your subscription plus 3 years for tax/legal compliance.
You may request immediate deletion of all your data at any time via the Right to Erasure feature in your Tenant Portal (DPDP §12).
Right to Access (§11): You may request a summary of personal data we hold about your organisation at any time.
Right to Correction (§12(b)): You may request correction of inaccurate personal data.
Right to Erasure (§12(c)): 1-click data deletion is available in the Tenant Portal. This purges both our cloud database and triggers a shred of the local encrypted vault on your endpoints.
Right to Grievance Redressal (§13): Contact our DPO at dpdp@cognoshift.in. We will respond within 30 days.
Right to Nominate (§14): You may nominate a representative to exercise these rights on your behalf.
Data in transit: TLS 1.3 mandatory. HSTS enforced with 1-year max-age.
Data at rest (cloud): Supabase AES-256 encryption. Row-Level Security (RLS) enforced on all tables.
Data at rest (edge): AES-256-GCM with scrypt key derivation. Authenticated encryption with auth-tag verification.
IP anonymisation: All IP addresses are HMAC-SHA256 hashed with a per-tenant key before being stored. Raw IPs are never persisted.
No raw PII in telemetry: Enforced by the Critic module in the Sentinel agent before any data leaves the endpoint.
Supabase (PostgreSQL database): Hosted in South Asia (Mumbai / AWS ap-south-1), India. Data at rest and in transit remains within India. Confirmed March 2026. See supabase.com/privacy.
Razorpay (payment processing): PCI-DSS Level 1 certified. We do not store any card, UPI, or banking credentials.
Resend (transactional email): Used only for OTP delivery and license key emails.
Anthropic (AI support chatbot): Support chat messages are sent to Claude API for processing. No persistent storage of chat history. See anthropic.com/privacy.
CognoShift does not use tracking cookies, advertising cookies, or any third-party analytics. The portal may use session cookies only for maintaining authentication state. These are strictly necessary and cannot be disabled without breaking portal functionality.
CognoShift does not directly collect personal data from children. Our school customers collect DPDP-compliant parental consent before monitoring student devices. Student identifiers are HMAC-hashed and never stored in plaintext. If you believe we have inadvertently processed a child's personal data, contact us immediately at dpdp@cognoshift.in.
Data Protection Officer: dpdp@cognoshift.in
General Privacy Queries: privacy@cognoshift.in
Postal Address: CognoShift Security Pvt. Ltd., Haryana, India (registered office address to be updated upon incorporation)
Response time: We aim to respond to all privacy queries within 30 days as required by DPDP Act 2025 §13.